Differences

This page shows the differences between two versions of the page.

content:serverbasics:docker [2024/05/19 01:04] – [Check Docker install] obel1x
content:serverbasics:docker [2026/03/01 11:44] (current) – [Fast Stop of all Containers] obel1x
Line 1: Line 1:
====== Docker (rootless) + Portainer ======
  
Docker is a powerful solution for setting up services. This short introduction gives you hints on how to set up Docker in a good way in user space, so that no root access is needed for Docker.

Currently I am experimenting on that topic, so maybe this documentation will be ready to use, maybe not.

Docker itself is nice, but by default it runs as root, which is a no-go at all. This guide sets up Docker in rootless mode on openSUSE (currently Leap 15.5).

__**Warning: this is a very strong advice NOT to use Docker in its default root mode at all!**__ The reason is that any service can talk to the Docker daemon if it gets a connection to the Docker socket through its volumes (which some services require), or simply if there is a bug somewhere. That way the container can start ANY service and bind-mount ANY location on the host that the Docker user is able to see. So if the service gets taken over and the daemon is running as root... you know where you are.

So just: don't set up rootful Docker at all if possible; it is not even needed nowadays.
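As an added example (not from the original page), here is a small audit over ''docker inspect'' output that flags exactly the containers the warning above is about: those that have the daemon socket mounted or run privileged. The sample output is constructed and reduced to the fields the check reads; on a real host you would pipe ''docker inspect $(docker ps -q)'' into it. In rootless mode the socket lives at ''$XDG_RUNTIME_DIR/docker.sock'' rather than ''/var/run/docker.sock'', so the check matches on the file name, not on the path.

```python
# Added example, not from the original page: audit `docker inspect` output for
# containers that can reach the Docker daemon (socket bind-mounted) or run
# privileged. The SAMPLE below is constructed, not real output, and keeps only
# the fields the check reads (Name, HostConfig.Privileged, Mounts[].Source/Destination).

import json

SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind",
                 "Source": "/run/user/1001/docker.sock",      # rootless socket path (assumed uid 1001)
                 "Destination": "/var/run/docker.sock"},
                {"Type": "volume",
                 "Source": "/home/docker/.local/share/docker/volumes/portainer_data/_data",
                 "Destination": "/data"}]},
    {"Name": "/nextcloud",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume",
                 "Source": "/home/docker/.local/share/docker/volumes/nextcloud/_data",
                 "Destination": "/var/www/html"}]},
    {"Name": "/debug-box",
     "HostConfig": {"Privileged": True},
     "Mounts": []},
])


def daemon_access_findings(inspect_json):
    """Return {container name: [reasons]} for every container that is
    effectively as powerful as the daemon itself."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            dst = m.get("Destination", "")
            # match the file name: /var/run/docker.sock (rootful) or
            # $XDG_RUNTIME_DIR/docker.sock (rootless)
            if src.endswith("docker.sock") or dst.endswith("docker.sock"):
                reasons.append(f"docker socket mounted at {dst}")
        if reasons:
            findings[c["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    # Live use: docker inspect $(docker ps -q) | python3 audit_daemon_access.py
    import sys
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, reasons in daemon_access_findings(data).items():
        print(f"{name}: {', '.join(reasons)}")
```

Portainer, which this page sets up later, is one of the services that needs the socket. With a rootful daemon, a compromise of such a container is root on the host; with the rootless setup described here it is limited to what the docker user can do, which is the whole point of this section.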
  
===== Filesystem Layout =====

Mind that, at the time of writing, ''overlay2'' is the storage driver to use in Docker, and it is fully supported only on ext4 and XFS as backing filesystems (XFS only with ''d_type=true'', which means the filesystem was created with ''ftype=1'').

I personally dislike XFS, especially since it is not robust and won't shrink. I use it anyway, because of the strong advice to do so. With kernel 5.19+ it should be possible to get overlay2 working on btrfs, but there are still things that may not work even with that kernel; in the worst case, Docker is unable to unlink files, so there will be huge containers and volumes, and maybe services will break.

So make sure that the home directory of your Docker user is on XFS. The ftype is already OK on SUSE 15.5; check the output of ''xfs_info <volumename>'' (the ''naming'' line must show ''ftype=1'').

Warning: you may have set umask your way; I prefer 007 as written before. But if you change umask and permissions, be very cautious, as Docker uses user-ID mapping and may change the permissions and ownership of files in its directory to a sub-UID.

That may change the ownership in a way that even the Docker user on the host cannot access the files, which is OK!

__**STRONG WARNING: Don't change permissions or ownership of Docker directories on the host directly, as (through the ID mapping) this changes them inside the container too, making them unavailable and breaking your services!!!**__

__**The safe way to manage volume file permissions is to open a shell inside the running container itself and change them there (to the right values, of course)!**__

A short hint: rootless Docker uses sub-UIDs and sub-GIDs, a Linux feature configured in ''/etc/subuid'' and ''/etc/subgid''. Each user gets a range of user IDs (quite a large range) and group IDs that the user may use; those are reserved exclusively for that user. But that does not mean the user can access files created under those sub-UIDs! Also, the sub-UIDs are only numbers, not real Linux users with a username; they cannot be used to log on or to work with. Docker manages internally which host sub-UID is assigned to which container and to which user ID inside the running container/service. Inside the container you may become that user, which has a real username and a (different) UID.
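To make the mapping in the paragraph above concrete, here is an added example (not from the original page) that computes how rootlesskit, the helper rootless Docker runs on, translates IDs between container and host. The sample ''/etc/subuid'' line and the host uid 1001 of the docker user are assumed values for the example. rootlesskit's default ''uid_map'' has two lines: container uid 0 is the docker user itself, and container uids 1..count are the subordinate range in order.

```python
# Added example, not from the original page: how rootless Docker (rootlesskit)
# maps user IDs between a container and the host via /etc/subuid.
# Assumed sample values (not from the page): the docker user has host uid 1001
# and /etc/subuid grants it the range 100000..165535.

SUBUID_SAMPLE = "docker:100000:65536\n"   # constructed /etc/subuid content
DOCKER_USER = "docker"
DOCKER_UID = 1001                          # assumed host uid of the docker user


def parse_subuid(text, user):
    """Return (start, count) of the first subordinate range granted to `user`."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            return int(start), int(count)
    raise KeyError(f"no subuid range for {user}")


def container_to_host_uid(cuid, user_uid, sub_start, sub_count):
    """rootlesskit's default uid_map: container uid 0 is the docker user itself,
    container uids 1..count are sub_start..sub_start+count-1 on the host."""
    if cuid == 0:
        return user_uid
    if 1 <= cuid <= sub_count:
        return sub_start + cuid - 1
    raise ValueError(f"container uid {cuid} is outside the mapped range")


def host_to_container_uid(huid, user_uid, sub_start, sub_count):
    """Inverse mapping; None means the host uid is not visible in the container
    (it shows up as the overflow uid there, normally 65534 / nobody)."""
    if huid == user_uid:
        return 0
    if sub_start <= huid < sub_start + sub_count:
        return huid - sub_start + 1
    return None


if __name__ == "__main__":
    start, count = parse_subuid(SUBUID_SAMPLE, DOCKER_USER)
    # A file created by uid 1000 inside the container (a typical app user)
    # appears on the host as 100999, which no host account owns.
    print("container uid 1000 ->", container_to_host_uid(1000, DOCKER_UID, start, count))
    # A file chown'ed to the docker user on the host is root inside the container;
    # one chown'ed to host root is unmapped and becomes nobody in the container.
    print("host uid 1001 ->", host_to_container_uid(1001, DOCKER_UID, start, count))
    print("host uid 0 ->", host_to_container_uid(0, DOCKER_UID, start, count))
```

This is why a ''chown'' on the host breaks things: a host uid that is not the docker user and not inside the subordinate range is simply unmapped and shows up as ''nobody'' in the container. On the host you can read the real table with ''cat /proc/$(cat $XDG_RUNTIME_DIR/docker.pid)/uid_map'' (two lines, ''0 <uid> 1'' and ''1 <start> <count>''). Docker's rootless-mode documentation also describes entering the daemon's namespaces with ''nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid)''; in that shell ''ls -n'' shows the container-side IDs, which is the one way to fix ownership from the host without guessing numbers.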
 + 
===== Which Devices / Raid- Level =====

I strongly advise against using RAID5 with classical hard drives to run Docker on. If you plan to have large data in /home/docker and want to use XFS + RAID5 to make better use of your drive space, then you should use another disk for Docker's overlays.

For me, I switched to RAID1 on SSD and mounted that at /home/docker/.local, where all Docker files are stored. Large data is then stored somewhere else if needed.

===== Packages NOT to install =====

I really had a lot of trouble with the package Docker-Rootless in the add-on repository ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]'', since it does not install Docker the same way Docker itself would. For example, it is not installed in the user's space only, but uses the system's Docker executables installed in global paths. This is a problem when using btrfs, as btrfs is not fully compatible with Docker. So I won't use this any more.

So I disabled the following packages and locked them to never install:
Line 34: Line 49:
===== Docker- User =====

Create a new **group** called **docker** and a new **user** called **docker**. Make **docker** the user's **default group**.

Attention: the home directory should be on a volume with XFS, as btrfs and others are not fully supported right now (20.04.2024: the fixes are in kernel 5.19 and newer, which is newer than what Leap 15.5 ships, and there are still some open problems in development there).
Line 191: Line 206:
  
Check the environment to have the settings:
<code>

docker@pcserver2023:~> logout
Connection to localhost closed.
Line 205: Line 220:
  
Now check ''docker info'':

<code>
docker@pcserver2023:~> docker info
Line 262: Line 278:
</code>
  
==== Additional knowledge ====

  * Storage driver and FS type: ''overlay2'' should always be used; don't rely on the btrfs driver. XFS and ''d_type'' are important!
  * The cgroup version needs to be 2 (with cgroup v1, rootless Docker cannot enforce resource limits)
  * If you see Docker complaining about the module aufs at start: don't care about it, that module is obsolete
 +
===== IP-Filter =====

When starting Docker, the log says:

<code>
level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted\ninsmod /lib/modul>
level=info msg="skipping firewalld management for rootless mode"

</code>

The rootless daemon has no permission to load kernel modules (that is the ''Operation not permitted''), so you first need to load them yourself as root with ''modprobe'' (''sudo modprobe bridge br_netfilter'').

For system startup, use ''/etc/modules-load.d'' and create a file ''docker-rootless.conf'' in it containing those module names, one per line (''bridge'' and ''br_netfilter'').
  
===== IPTables =====
Line 286: Line 317:

</code>

===== Configuring Docker Daemon =====
Line 294: Line 324:
''~/.config/docker/daemon.json''

**By default, neither the path nor the file exists; __create them new__ as the docker user**.

For example, enable IPv6. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
Line 300: Line 330:
  
{
  "ipv6": true,
  "ip6tables": true,
  "fixed-cidr-v6": "fd12:3456:789a:1::/64",
  "iptables": true,
  "fixed-cidr": "172.17.0.0/16",
  "log-opts": {
    "max-size": "10m",
Line 312: Line 343:
</file>
  
Notice: Don't use ''userns-remap''; this won't work and makes no sense in rootless mode!

Edit: ''"experimental": true'' has been removed; it is no longer needed for IPv6 (''ip6tables'') since Docker v27.

You need to adjust the CIDR to some unique ULA. ULAs (unique local addresses, ''fc00::/7'', in practice ''fd00::/8'') are not routable on the internet, like 192.168.0.0/16 and the other RFC 1918 ranges in IPv4. Select a unique prefix only for that internal Docker network; choose anything that is not assigned anywhere else on your network, to not cause trouble. The same goes for the IPv4 ''fixed-cidr'': use a private (RFC 1918) range that lies inside the docker0 bridge subnet (172.17.0.0/16 by default), never a public one.

Maybe use this tool to generate one: [[https://www.unique-local-ipv6.com|https://www.unique-local-ipv6.com]]
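Since a typo in ''daemon.json'' only shows up when the daemon refuses to start, here is an added example (not from the original page): a small linter for the values discussed above. The two sample configurations are constructed for the example; the bad one contains an invalid IPv6 literal (a triple colon) and a public IPv4 range, the kind of slip that is easy to make when editing the file by hand.

```python
# Added example, not from the original page: check the network-related values in
# ~/.config/docker/daemon.json before restarting the rootless daemon.
# Both sample configs are constructed for this example.

import ipaddress
import json

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses, RFC 4193

BAD_DAEMON_JSON = """{
  "ipv6": true, "ip6tables": true, "fixed-cidr-v6": "fd12:3456:1:::/48",
  "iptables": true, "fixed-cidr": "172.1.0.0/16"
}"""

GOOD_DAEMON_JSON = """{
  "ipv6": true, "ip6tables": true, "fixed-cidr-v6": "fd12:3456:789a:1::/64",
  "iptables": true, "fixed-cidr": "172.17.0.0/16"
}"""


def check_daemon_json(text):
    """Return a list of human-readable findings; an empty list means OK."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    # userns-remap is a rootful feature; rootless mode already runs in a user namespace
    if "userns-remap" in cfg:
        findings.append("userns-remap is set; it is meaningless in rootless mode")

    if cfg.get("ipv6"):
        v6 = cfg.get("fixed-cidr-v6")
        if not v6:
            findings.append("ipv6 is enabled but fixed-cidr-v6 is missing")
        else:
            try:
                net = ipaddress.ip_network(v6, strict=True)   # strict: host bits must be 0
                if net.version != 6:
                    raise ValueError("not IPv6")
                if not net.subnet_of(ULA):
                    findings.append(f"fixed-cidr-v6 {v6} is not a ULA prefix (fc00::/7)")
            except ValueError:
                findings.append(f"fixed-cidr-v6 {v6!r} is not a valid IPv6 prefix")

    v4 = cfg.get("fixed-cidr")
    if v4:
        try:
            net = ipaddress.ip_network(v4, strict=True)
            if net.version != 4:
                raise ValueError("not IPv4")
            if not net.is_private:
                findings.append(f"fixed-cidr {v4} is not an RFC 1918 range")
        except ValueError:
            findings.append(f"fixed-cidr {v4!r} is not a valid IPv4 prefix")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BAD_DAEMON_JSON
    for finding in check_daemon_json(text) or ["OK"]:
        print(finding)
```

Run it as ''python3 check_daemon_json.py ~/.config/docker/daemon.json'' before ''systemctl --user restart docker''. The check deliberately does not verify that ''fixed-cidr'' sits inside the docker0 subnet, because that depends on ''bip'', which this page does not set.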
 + 
 + 
==== The default network is not IPv6-enabled by default ====

If you specify no network, or use the network ''default'', then at the time of writing IPv6 will not be enabled by default.

So in your docker-compose.yml you need these lines:
<file>

networks:
# Still needs to be defined, since without it IPv6 won't be enabled
  default:
    driver: bridge
    enable_ipv6: true

</file>
 + 
===== Networking in Docker rootless =====

If you read docs on the net about networking with Docker, you may see ''docker0'' as the bridge network. While this network also exists in rootless Docker, you will not find it as an interface on your host like you would with rootful Docker.

Instead the network is encapsulated in the network namespace of rootlesskit and not visible to the host. From the host's view, Docker is just another application running on your host and talking to the internet like any app would.
 + 
===== Performance =====

When you install the pasta networking driver (it ships with the ''passt'' package), you can edit your Docker systemd unit and use a much improved networking driver.

You can also change Docker's CPU and I/O scheduling priority. Mind the direction: nice values range from -20 (highest) to 19 (lowest), so ''Nice=10'' gives Docker a //lower// priority than the default of 0, and ''IOSchedulingPriority=7'' is the lowest level of the best-effort class. A user service normally cannot set negative nice values anyway (that needs CAP_SYS_NICE or a raised RLIMIT_NICE). After editing, ''systemctl --user restart docker'' applies the override:

<code>
docker@server:~> systemctl --user edit docker.service

# put this into the override file that opens:
[Service]
# Lower CPU priority for Docker (0 = default, 19 = lowest)
Nice=10
# Lowest best-effort I/O priority
IOSchedulingClass=best-effort
IOSchedulingPriority=7
# Use the pasta network driver of your host (pasta needs to be installed)
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=--ipv6"

</code>
  
===== Install docker compose =====

**This chapter may be obsolete, since from Docker v27 on the compose plugin is part of the installation script. Check the output of ''docker info'' for the installed plugins and whether ''docker compose version'' already reports a version. If so, skip this.**

The command ''docker-compose'' has been obsoleted and replaced by a plugin ''compose'' for Docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
Line 354: Line 434:
#!/bin/bash
# Upgrade docker rootless and the compose plugin
set -u
# Note: docker_stop_all.sh (see below) also REMOVES all containers
./docker_stop_all.sh
sleep 5
systemctl --user stop docker
sleep 5
# uninstall
rm -f ~/bin/dockerd
rm -f ~/.config/systemd/user/docker.service.bak
mv ~/.config/systemd/user/docker.service ~/.config/systemd/user/docker.service.bak
# reinstall docker compose (DOCKER_CONFIG defaults to ~/.docker if unset)
DOCKER_CONFIG="${DOCKER_CONFIG:-$HOME/.docker}"
COMPOSE_VER='2.32.4'
mkdir -p "$DOCKER_CONFIG/cli-plugins"
rm -f "$DOCKER_CONFIG/cli-plugins/docker-compose"
echo "Download Docker Compose release ${COMPOSE_VER} - please check https://github.com/docker/compose/releases for the newest version and change this file"
# -f makes curl fail on HTTP errors instead of saving an error page as the plugin binary
curl -fSL "https://github.com/docker/compose/releases/download/v${COMPOSE_VER}/docker-compose-linux-x86_64" -o "$DOCKER_CONFIG/cli-plugins/docker-compose" || exit 1
chmod +x "$DOCKER_CONFIG/cli-plugins/docker-compose"
# install docker
curl -fsSL https://get.docker.com/rootless | sh
# the new binary needs permission to bind privileged network ports (below 1024)
sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit
# this should be everything
docker info

</file>
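The script above downloads the compose binary and makes it executable without checking what it got. As an added example (not from the original page, and not part of the author's script), here is the verification step a practitioner would put between the download and the ''chmod +x'': compare the file's SHA-256 against the checksum list published with the release. The binary bytes and the checksum list below are constructed so the example runs offline; for a real release you would fetch ''checksums.txt'' from the same GitHub release page as the binary (assumption: that file uses the usual ''sha256sum'' format, ''<hex digest>  <file name>'' per line).

```python
# Added example, not from the original page: verify a downloaded release asset
# against a sha256sum-style checksum list before installing it.
# FAKE_BINARY and CHECKSUMS_TXT are constructed stand-ins, not real release data.

import hashlib
import hmac

ASSET = "docker-compose-linux-x86_64"
FAKE_BINARY = b"#!/bin/sh\necho 'constructed stand-in for the compose binary'\n"
# Constructed checksums.txt: one correct entry for ASSET plus an unrelated one.
CHECKSUMS_TXT = (
    hashlib.sha256(FAKE_BINARY).hexdigest() + "  " + ASSET + "\n"
    + "0" * 64 + "  docker-compose-linux-aarch64\n"
)


def parse_checksums(text):
    """Map file name -> expected sha256 hex digest from sha256sum-style output."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")            # sha256sum marks binary mode with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name}")
        table[name] = digest.lower()
    return table


def verify_asset(data, checksums_text, asset_name):
    """True only if `data` hashes to the digest listed for `asset_name`.
    An asset missing from the list is a failure, not an 'unknown'."""
    expected = parse_checksums(checksums_text).get(asset_name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys
    # Live use: verify_compose.py <downloaded binary> <checksums.txt> [asset name]
    if len(sys.argv) >= 3:
        data = open(sys.argv[1], "rb").read()
        sums = open(sys.argv[2]).read()
        name = sys.argv[3] if len(sys.argv) > 3 else ASSET
    else:
        data, sums, name = FAKE_BINARY, CHECKSUMS_TXT, ASSET
    ok = verify_asset(data, sums, name)
    print("verified" if ok else "MISMATCH - do not install")
    sys.exit(0 if ok else 1)
```

In the upgrade script this sits right after the ''curl'' of the binary: run the check, and only ''chmod +x'' when it exits 0. The same reasoning applies to ''curl ... | sh'' for the rootless installer: downloading the script to a file and reading it before running it costs a minute and removes the blind trust in whatever the URL serves that day.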
  
===== Create a place for Yamls =====
Line 437: Line 528:
Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local environment and enjoy the docker-party:

{{  :content:serverbasics:screenshot_20231221_101150.png?968x260  }}

That's all: Docker is running and serving your services, cheers!
 +
===== Fast Stop of all Containers =====

This makes life easy: ''docker_stop_all.sh''. Be aware that it also **removes** the containers (''docker rm''), not just stops them; named volumes and images stay, but anything you changed inside a container and did not put into a volume is gone:
<file>
#!/bin/bash
# Stop AND remove every container (named volumes and images stay).
# Without the test, `docker stop` with an empty list would error out.
ids=$(docker ps -a -q)
if [ -n "$ids" ]; then
  docker stop $ids
  docker rm $ids
fi

</file>
===== Find the latest Commit in git =====

Sometimes the repository does not offer a latest tag, so it is hard to find the right tag to use. Maybe this code helps (not tested whether it gets the right commit ID for the image):

<code>
# Fragment of a longer shell command (hence the trailing backslashes):
# if TVHEADEND_COMMIT is not set, take the current HEAD of master from the GitHub API
if [ -z "${TVHEADEND_COMMIT+x}" ]; then \
    TVHEADEND_COMMIT=$(curl -sfX GET https://api.github.com/repos/tvheadend/tvheadend/commits/master \
    | jq -r '.sha'); \
  fi && \

</code>
  
  
content/serverbasics/docker.1716073496.txt.gz · Last modified: by obel1x

Unless otherwise noted, the content of this wiki is published under the following license: CC0 1.0 Universal